The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books; "Windows Forensic Analysis" (1st thru 4th editions), "Windows Registry Forensics",
as well as the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".

Saturday, January 17, 2009

WFA 2/e Status

I wanted to let everyone know that since October, I've been working on the second edition of this book, and I'm almost done with the initial rewrites. I'm finishing up chapter 4, Registry Analysis, now, and this is the last chapter that needs to go to the tech editor. Once this chapter has been sent off, I'll be going back to chapter 1 and addressing the tech editor's comments...the next stop is the publisher!

What's changed...a good deal of the original information is still in the book, but it has been added to and in many cases expanded and brought up to date. For example, the binary structure of Registry hives and PE files hasn't changed, so there's no reason to take any of that information out of the book...it's still pertinent. However, new tools are available, new techniques have been developed, and I've tried to highlight that in the additional information. In chapter 4, I focus primarily on RegRipper and rip.pl, rather than standalone scripts and tools. The standalone scripts and tools are still there, though...I moved them to another directory on the DVD.

I've also added two new chapters, not based on any specific requests, but rather upon things I've seen over time. Chapter 8 is "Tying It All Together", where I try to illustrate incidents I and others have responded to (in general terms, of course), and show how information from different chapters in the book gets pulled together and correlated to create an overall picture of the incident or examination. Chapter 9 discusses getting a great deal of analysis capability out of freely available (in some cases, low cost) tools...the vast majority (albeit not all) of the tools discussed in this chapter were not brought up anywhere else in the book.

This time around, I've included more information about Vista, and while the recent release of Windows 7 Beta makes it too soon to really be included in the book, it does open the door for a third edition. ;-) Some other things on the DVD that accompanies the book (besides tools and other items referenced in the chapters) will be a number of PDFs I've written up over the past year or so to act as training manuals...each PDF addresses a single topic and is short enough to print out and take on a plane with you, or simply read at your leisure. I'm also including a document that shows, in detail, how to deploy F-Response EE remotely, and what physical memory from the remote system "looks like" to the analysis system.

From what the publisher tells me, this book should be out by May/June of this year, although it is already up on Amazon for pre-order.